Hi Joe, thanks for the review. Comments inline.

On 6/25/17 11:50 PM, Joseph Salowey wrote:
> Reviewer: Joseph Salowey
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The summary of the review is that the document is ready with nits.
>
> This document is an update to RFC 7613. A few minor comments:
>
> 1. I think it would be good to show that the zero-length password is not
> allowed in table 4 (18 | <> | zero-length password). There are lots of
> cases where allowing zero-length passwords has led to problems.
> Disallowing zero-length passwords is helpful.

Good point - we'll add that.

> 2. Comparison of passwords is a touchy subject. I can't think of a case
> where it would be preferable to do a direct password comparison. In most
> cases the comparison will be done against a salted-hashed transform of the
> password or involve some other cryptographic operation. I think it would be
> good to discuss this briefly in the security considerations section; sample
> text below:
>
> "Password Comparison
>
> Verification of passwords during authentication will not use the comparison
> defined in section 4.2.3. Instead, cryptographic calculations are performed
> to verify the password. In most cases the password will be prepared as in
> section 4.2.1 and meet the rules enforced in section 4.2.2 before the
> calculations are performed."

That's helpful - thanks for the suggested text. A forward pointer from Section 4.2.3 also seems desirable.

Peter

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
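The two review points above (reject zero-length passwords; verify against a salted-hash transform of the prepared and enforced string rather than comparing raw strings) in working form. This is an added example written for this page, not code from the draft, from RFC 7613, or from the precis working group. Assumptions: the FreeformClass membership test is approximated with Unicode General Category values only (the real class is defined by the RFC 8264 derived tables and also handles join controls and default-ignorable code points), the enforcement steps shown are the OpaqueString profile's non-ASCII-space mapping and NFC normalization, and PBKDF2-HMAC-SHA256 stands in for whatever password-hashing function a deployment actually uses.

```python
import hashlib
import hmac
import os
import unicodedata

# ASSUMED approximation of "not in FreeformClass": controls, unassigned,
# private-use and surrogate code points. The real check uses the RFC 8264
# derived property tables, not General Category alone.
DISALLOWED_CATEGORIES = {"Cc", "Cn", "Co", "Cs"}


def prepare(password: str) -> str:
    """Preparation (the draft's 4.2.1 step): every code point must be
    allowed by the FreeformClass; anything else is rejected outright."""
    for ch in password:
        if unicodedata.category(ch) in DISALLOWED_CATEGORIES:
            raise ValueError("U+%04X is not allowed in a password" % ord(ch))
    return password


def enforce(password: str) -> str:
    """Enforcement (the draft's 4.2.2 step): map non-ASCII space characters
    (General Category Zs) to U+0020, apply NFC, and refuse a zero-length
    result, which is the case the review asks to show in table 4."""
    s = prepare(password)
    s = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in s)
    s = unicodedata.normalize("NFC", s)
    if not s:
        raise ValueError("zero-length password is not allowed")
    return s


def is_acceptable(password: str) -> bool:
    """True if the string survives preparation and enforcement."""
    try:
        enforce(password)
    except ValueError:
        return False
    return True


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000):
    """Store a salted transform of the *enforced* string, never the string."""
    pw = enforce(password).encode("utf-8")
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return salt, dk


def verify_password(candidate: str, salt: bytes, stored: bytes,
                    iterations: int = 100_000) -> bool:
    """Verification as the suggested security-considerations text describes:
    prepare and enforce the candidate, then compare hash outputs in constant
    time. The byte-for-byte comparison of 4.2.3 is never applied to the
    password itself."""
    try:
        pw = enforce(candidate).encode("utf-8")
    except ValueError:
        # Zero-length or disallowed input can never match a stored secret.
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery")
    # Same password typed with NO-BREAK SPACE and EM SPACE still verifies,
    # because enforcement maps both to U+0020 before hashing.
    print(verify_password("correct\u00a0horse\u2003battery", salt, stored))
    print(verify_password("", salt, stored))
```

Note that `enforce` runs on both the enrolment and the verification path; if one side skips it, an NFD-encoded "é" and an NFC-encoded "é" hash to different values and a correct password is rejected.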
